Detection rules › Kusto Query Language

PE file dropped in Color Profile Folder

Author: Pete Bryan
Source: upstream

'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1203` Exploitation for Client Execution

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate
Security-Auditing	4663	An attempt was made to access an object.
Defender-DeviceFileEvents	9002001	File created

Stages and Predicates

Stage 1: `source`

DeviceFileEvents

Stage 2: `where`

ActionType eq "FileCreated"

Stage 3: `where`

FolderPath match "C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\"

Stage 4: `where`

or
  FileName ends_with ".dll"
  FileName ends_with ".exe"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ActionType`	eq	`FileCreated`
`FileName`	ends_with	`.dll` `.exe`
`FolderPath`	match	`C:\\Windows\\System32\\spool\\drivers\\color\\`

PE file dropped in Color Profile Folder

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Indicators

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`